
"Quality Matters in your Business"

Tuesday, 23 December 2008

Security and the Credit Crunch

The credit crunch has made the criminal fraternity even more determined to separate us from our hard-earned cash.

Some of the latest scams are cleverer than ever. Take the email currently doing the rounds: it says the most destructive virus ever is coming, so email this warning to everyone you know, and if you receive an email from someone you know headed POSTCARD FROM HALLMARK, do not open it or your hard disk will be totally erased. It is a hoax of course, but people have been forwarding this email to their entire address book, and unfortunately they have been sending it to their address book as cc rather than the hidden bcc. The effect is that millions of email addresses are circulating the internet. The bad guys then harvest these addresses and use them for directly targeted email, which may entice us to part with passwords and the like.

Emails sent from our banks asking for log-in and passwords to re-activate an account are again spurious as no bank would ever ask for this information in an email.

Prize-winning emails which only require us to give bank details, full name, date of birth and usually a mother's maiden name put us at risk of becoming victims of identity fraud.

The one I think is particularly clever is the email supposedly from the HMRC saying that I had overpaid my tax and if I would care to send them my bank details they would credit the amount directly into my account.

And finally a word of caution about credit and debit cards: never let your credit or debit card out of your sight. If a chip and pin machine is used, always insert the card yourself and NEVER tell the shop or other supplier your pin number. If you buy online, always check that you are entering your details into a secure web-site: a padlock should be shown and the address should begin https, not http.

I hope you can spend your money on those you choose and not let the criminals steal it.

Happy Christmas shopping.

Tuesday, 18 November 2008

ISO9001 Quality Management Standard

This standard was last updated in the year 2000 and should have been reviewed last year but this was delayed until 2008.

The main changes in ISO 9001:2008 are as follows:

Clause 0.2 (Process approach)
Text added to emphasise the importance of processes being capable of achieving desired outputs

Clause 1.1 (Scope)
  • Clarification that product also includes intermediate product
  • Information regarding statutory, regulatory and legal requirements

Clause 4.1 (General requirements)
  • Notes added to explain more about outsourcing
  • Types of control that may be applied to outsourced processes
  • Relationship to clause 7.4 (Purchasing)
  • Clarification that outsourced processes are still responsibility of the organisation and must be included in the quality management system

Clause 4.2.1 (Documentation)
  • Clarification that QMS documentation also includes records
  • Documents required by the standard may be combined
  • ISO 9001 requirements may be covered by more than one documented Procedure

Clause 4.2.3 (Document control)
Clarification that only external documents relevant to the QMS need to be

Clause 4.2.4 (Control of records)
Editorial changes only (better alignment with ISO 14001)

Clause 5.5.2 (Management representative)
States that this must be a member of the organisation's own management

Clause 6.2.1 (Human resources)
Clarification that competence requirements are relevant for any personnel who are involved in the operation of the quality management system

Clause 6.3 (Infrastructure)
Includes information systems as example

Clause 6.4 (Work environment)
Clarifies that this includes the conditions under which work is performed, for example physical, environmental and other factors such as noise, temperature, humidity, lighting or weather

Clause 7.2.1 (Customer related processes)
Clarifies that post-delivery activities may include:
  • Actions under warranty provisions
  • Contractual obligations such as maintenance services
  • Supplementary services such as recycling or final disposal

Clause 7.3.1 (Design & development planning)
Clarifies that design and development review, verification and validation have distinct purposes. These may be conducted and recorded separately or in any combination as suitable for the product and the organisation

Clause 7.3.3 (Design & development outputs)
Clarifies that information needed for production and service provision includes preservation of the product

Clause 7.5.4 (Customer property)
Explains that both intellectual property and personal data should be considered as customer property

Clause 7.6 (Now called Control of Monitoring and Measuring equipment)
Explanatory notes added regarding the use of computer software:
"Confirmation of the ability of computer software to satisfy the intended application would typically include its verification and configuration management to maintain its suitability for use."

Clause 8.2.1 (Customer satisfaction)
Note added to explain that monitoring of customer perception may include input from sources such as customer satisfaction surveys, customer data on delivered product quality, user opinion surveys, lost business analysis, compliments, and dealer reports

Clause 8.2.3 (Monitoring / Measurement of process)
Note added to clarify that when deciding on appropriate methods, the organisation should consider impact on the conformity to product requirements and on the effectiveness of the quality management system.

Because the changes are so minor and no new requirements have been introduced, little effort will be required by users of the standard to achieve certification to the 2008 standard.

Monday, 3 November 2008

Health & Safety & BS OHSAS 18001

My office is in a Business Park but one of my windows looks out on to some houses. Last week I was treated to an exhibition of all the things that builders shouldn't do.

Let me explain: the householder has sensibly decided to have cavity wall insulation installed, but the workmen who arrived to do the job were rather cavalier in their attitude to health and safety. At one point one of them was standing on the apex of the attached garage, leaning precariously out while holding a masonry drill; as he attempted to drill holes in the outer wall he kept losing his balance and I am amazed that he didn't fall. Some of the places he needed to drill were too high even for him and he proceeded to get a ladder from his van. Instead of using a scaffold tower, as required by law, he climbed up the ladder using one hand while dragging the electric drill with the other. I expected that, at the very least, his partner would have held the bottom of the ladder, but no, he was preparing the equipment for injecting the foam insulation.

I am fairly sure that these two were not operating their company health and safety policies but were just lazy.

I had to go out to visit a client so I do not know how it all ended. I hope that it did not end in tears.

It is hardly surprising to know that the majority of industrial accidents occur on building sites and most involve some sort of powered tool.

I wish these two lads a long and healthy life but, if their recent performance was anything to go by, I think that very optimistic. While I realise that the young seem to think they are totally invulnerable (I was young once myself, after all), the safeguards offered by modern health and safety legislation are not designed to restrict personal freedom; they can, and often do, save lives.

Before undertaking any work of this type they should have carried out a risk assessment, not a huge job given the task in hand. Then they should have used the correct protective equipment and safe working practices.

Monday, 20 October 2008

Environmental Measures and Common Sense

Readers of this blog will know that I always advocate environmentally friendly measures, and it is becoming increasingly clear that these measures are becoming the norm rather than the exception.

Measure 1 - I drive a Hybrid car - Not only does this car give me a good miles per gallon figure, it is comfortable, I pay only £15 per year road tax and I am exempt from congestion charges;

Measure 2 - By reducing my speed from 70 to 65 miles per hour, I have found that I now get between 55-60 miles per gallon. With fuel cost now becoming a significant expense this is a considerable saving.

Measure 3 - By reducing the thermostat by one to two degrees my heating bill will be reduced; it may not offset the huge rises in energy costs but it must go part way.

Measure 4 - I now turn off lights that are really not needed during the day; I open the blinds to let in natural daylight. The savings may not be great but they contribute to the overall saving, even with energy saving lighting.

Measure 5 - No equipment is left on standby; to do so would be wasting energy and money.

Measure 6 - If I feel cold; I put on a jumper rather than turning up the heat; I am often staggered to see people in summer clothes complaining about feeling chilly.

Measure 7 - I have changed Banks- not only because my previous Bank gave me such rotten service but my new Bank is within walking distance. No Car needed.

Measure 8 - We recycle as much as we can to reduce our impact on the environment.

Measure 9 - We buy in-season food to reduce the air miles that our food travels; some of our food has travelled tens of miles rather than hundreds.

Measure 10 - We buy our goods and services locally, wherever we can to reduce our carbon footprint.

Am I a crank, or just gloating at saving money (and the Planet)? I suspect that 10 years ago I may have been considered a crank but nowadays I am perfectly normal, and richer.

Monday, 6 October 2008

Data Security & You

There has been considerable interest, and dismay, at the number of times sensitive data has been lost or stolen, indeed the amount of data lost seems directly proportional to the technological advances in devices and perhaps the stupidity or arrogance of their owners.

Desktop computers - these are sitting on our desks giving access to vast amounts of data, yet many people get up and leave their desks without a thought to the risk they are taking. I always lock my desk computer before leaving it, even for a few minutes, because I understand that a moment's inattention could put my data at risk and seriously damage my reputation as a security conscious individual.

Laptop computers - these are becoming smaller and smaller. My latest acquisition has an 8.9 inch screen, no hard drive and is small enough to slip into my briefcase. The down side of this is that it is even easier to lose. I encrypt my data so that would not be a problem but the loss of the thing would be very inconvenient. The data is, however, safe.

Memory sticks and SDHC cards - probably the greatest threat to data known today. These tiny devices can hold gigabytes of data and yet can slip easily into a pocket. These devices should always be encrypted, but sadly many are not. All my data sticks have the ability to lock and encrypt data.

Mobile phones and PDA devices - most people do not activate the pin number lock to prevent unauthorised access, and as such they risk having their phone numbers and email contact lists taken and, if secret pin numbers and passwords are stored, these are at risk too. Add to that the ability of many devices to access business systems and email remotely and it is easy to see what a major security threat these unprotected devices can pose.

I use a pin to protect my PDA and have set a pin to protect the sim card as well. If my device was lost or stolen, I can send it a text message which locks the PDA and no amount of fiddling will unlock it, even if a new sim card is inserted and the factory defaults enabled.

A recent survey mounted by the BBC shows just how many electronic devices are left in cabs. The number is staggering. The value of data and equipment is vast.

Moral - keep devices safe, encrypt data, activate pin numbers on phones and PDAs.

Tuesday, 23 September 2008

A Directors' brief on ISO27001 Information Security Management

It is generally accepted that information is the greatest asset any organisation has under its control. Managing Directors are aware that the supply of complete and accurate information is vital to the survival of their organisations.

Today more and more organisations are realising that information security is a critical business function. It is not just an IT function but covers:

  1. Governance;
  2. Risk Management;
  3. Physical Security;
  4. Business Continuity;
  5. Regulatory and Legislative Compliance.

Information Security

Business has been transformed by the use of IT systems, indeed it has become central to delivering business efficiently. The use of bespoke packages, databases and email have allowed businesses to grow while encouraging remote communication and innovation.

Most businesses rely heavily on IT but critical information extends well beyond computer systems. It encompasses knowledge retained by people, paper documents as well as traditional records held in a variety of media. A common mistake when incorporating an information security system is to ignore these elements and concentrate only on the IT issues.

Information security is a whole organisation matter and crosses departmental boundaries. It is more than just keeping a small amount of information secret; your very success is becoming more dependent upon the availability and integrity of critical information to ensure smooth operation and improved competitiveness.

  1. Confidentiality
  2. Integrity
  3. Availability

These are the three requirements for any ISMS.

Managing Directors' Perspective

Your vision is central to organisational development; driving improvements in all areas of the business to create value. With information technology being key to so many change programmes, effective information security management systems are a prerequisite to ensuring that systems deliver on their business objectives. Your leadership can help create the appropriate security culture to protect your business.

Organisations are increasingly being asked questions about ISO 27001, particularly by national or local government, the professions and the financial sector. This is being driven by adoption of the standard as part of their legal and regulatory obligations. In some areas this is becoming a tender requirement.

Others are seeing a competitive advantage in leading their sector and using certification in information security management to develop customer/ client confidence and win new business. With public concern over security issues at an all time high, there is a real need to build effective marketing mechanisms to show how your business can be trusted.

You will certainly be aware of your responsibilities for effective governance, and be answerable for damaging incidents that can affect organisational value. The risk assessment, which is the foundation of the standard is designed to give you a clear picture of where your risks are and to facilitate effective decision making. This translates into risk management, not simply risk reduction and therefore replaces the feeling many directors have of risk ignorance in this area. This will help you understand the potential risks involved with the deployment of the latest information technologies and will enable you to balance the potential downside with the more obvious benefits.

Whether, as part of compliance, such as required by Professional Bodies, Sarbanes Oxley, Data Protection Act, or as part of an effective governance, information security is a key component of operational risk management. It enables the formulation of effective risk analysis and measurement, combined with transparent reporting of ongoing security incidents to refine risk decisions.

Giving values to the impact security incidents can have on your business is vital. Analysis of where you are vulnerable allows you to measure the probability that you will be hit by security incidents with direct financial consequences.

An added benefit of the risk assessment process is that it gives you a thorough analysis of your information assets, how they can be impacted by attacks on their confidentiality, integrity and availability, and a measure of their real value to your business.

Although the detail within the risk assessment process can be complex, it is also possible to translate this into clear priorities and risk profiles that the Board can make sense of, leading to more effective financial decision making.

Business Continuity

How well would you cope if a disaster affected your business?

This could be from some natural cause such as flood, storm or worse from fire, terrorism or other civil unrest. The areas not often considered are sickness, failure of utilities or technology breakdown.

Business continuity planning in advance of a disaster can mean the difference between survival or extinction of the business.

Many of the businesses affected by the Buncefield Fuel Depot disaster never recovered. Those with an effective business continuity plan have emerged like the phoenix from the ashes.

Many businesses claim to have a plan but if the plan is untested or ill prepared then it is bound to fail.

ISO27001 states that a fully planned and tested BCP should be in place to prepare for and be able to deal with, such an emergency.

ISO 27001 Sections

  • Security policy - This provides management direction and support for information security.
  • Organisation of assets and resources - To help manage information security within the organisation.
  • Asset classification and control - To help identify assets and protect them appropriately.
  • Human resources security - To reduce the risks of human error, theft, fraud or misuse of facilities.
  • Physical and environmental security - To prevent unauthorised access, damage and interference to business premises and information.
  • Communications and operations management - To ensure the correct and secure operation of information processing facilities.
  • Access control - To control access to information
  • Information systems acquisition, development and maintenance - To ensure that security is built into information systems.
  • Information security incident management - To deal effectively with any identified security incident.
  • Business continuity management - To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.
  • Compliance - To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and any security requirement.

Monday, 8 September 2008

Security and Banks

I have just been through a most frustrating time with my bank. It all started when my landlord increased the rent and service charges for our offices in Tolleshunt Major; I went online, accessed my account and tried to amend the standing order to take account of the increased charges; a message told me that I couldn't do this on line but to contact the help desk.

I rang the help desk and was asked the usual security questions, and one answer was rejected. I re-iterated that my answer was correct and the lady re-entered it, only to have it rejected again. She had obviously entered it incorrectly, as I had entered the same information to get online in the first place. I said that she must have entered the information incorrectly as I was on line. The next thing, she said that the system had locked me out and she would have to pass me through to the online team. I expected the online team to unlock my account, but no; they would send me a form which I could complete and return to them, and I would get an activation code to get me going again.

A week later the form arrived and I signed the appropriate part and sent it back. Four days later I received a letter telling me that they had had some technical problems with my log in and here was a temporary activation code which would be ok for a few weeks but they would need to change my customer number and supply me a new activation code for that new number. The activation code did not work so I telephoned again only to be told that they should not have sent the temporary activation code and had cancelled it before it arrived.

I asked when I could expect the new information and activation code; a few days was the response. A few days later the new customer number arrived and then the following day a new activation code.

With much trepidation I entered the new customer number and activation code; so far so good. I was then asked for a 4 digit pin number and a complex password. The password was accepted but the pin number was rejected. I telephoned yet again, only to be told that any pin number cannot have a repeated number in it nor consecutive numbers. My pin number did have two numbers the same in the sequence but not sequential. I had used the same pin number for some time but change my password frequently. This was not good enough for NatWest. I was told either I used all their security requirements or I couldn't use their on line system at all. I protested, saying that my security was ok two weeks ago before they messed up my access but not now. I asked if the Bank's security was more important than customer service. The sheer indifference shown by the chap on the other end of the phone left me in no doubt that I could do what I liked but they would not move at all.

This was the final straw in a saga that goes back months and included wrongly debiting my account with amounts that bore no relation to the printed cheques that my sage system had prepared, deducting income tax from the interest paid on business deposit account and then taking three months to repay it.

My branch bank manager keeps apologising but cannot do anything with the bureaucracy that is the bank.

Apparently I am an ideal customer, never pestering the bank staff, never exceeding my overdraft, never complaining about the charges levied. I prepare few cheques and carry out most of my banking online so there is little for the bank to administer. Our deposit account has a reasonable balance in it and my Gold Business card, used for business expenses, is never over the agreed limit. So why treat me so badly? Perhaps it is a sign of the times where Banks have a virtual stranglehold on their customers, make an obscene amount of money and employ morons in call centres.

I am actively seeking another bank to handle my business banking; will I be able to find a good bank? I don't know, but surely customer service cannot be as bad as that I have been subjected to.

It is also strange that Quality Matters sets up secure systems, including ISO27001, and we always advocate good security, but we recognise, as do most institutions, that security is a trade-off between total security, where nothing gets done, and lax security, where systems are at severe risk. We know that there is a compromise point where good security also allows users to get on with their business. The balance seems to be lost on my bank.

Security gone mad.
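The post above reports a bank rule that an online-banking PIN may contain neither a repeated digit nor consecutive digits. A quick way to see what such a composition rule actually does to security is to enumerate the PINs it leaves available. The script below is an added example, not code from the Quality Matters blog or from any bank; it assumes a reading of the rule that the page does not spell out ("repeated" means any digit occurring twice anywhere in the PIN, "consecutive" means two adjacent digits differing by exactly 1 in either direction), and it generalises from the four-digit case in the post to any PIN length.

```python
"""Added example (not from the Quality Matters blog): measuring what a PIN
composition rule does to the space of possible PINs.

ASSUMED reading of the bank rule described in the post:
  * "repeated" means any digit occurring more than once anywhere in the PIN;
  * "consecutive" means two adjacent digits that differ by exactly 1,
    in either direction (so "12" and "21" are both rejected).
"""
from itertools import product


def has_repeated_digit(pin: str) -> bool:
    """True if any digit appears more than once (assumed reading of the rule)."""
    return len(set(pin)) != len(pin)


def has_consecutive_digits(pin: str) -> bool:
    """True if two adjacent digits differ by exactly 1 (assumed reading)."""
    return any(abs(int(a) - int(b)) == 1 for a, b in zip(pin, pin[1:]))


def pin_allowed(pin: str, length: int = 4) -> bool:
    """Apply the assumed bank rule to one candidate PIN of the given length."""
    if len(pin) != length or not pin.isdigit():
        return False
    return not has_repeated_digit(pin) and not has_consecutive_digits(pin)


def count_allowed_pins(length: int = 4) -> int:
    """Count every PIN of the given length that the rule accepts (exhaustive)."""
    return sum(
        pin_allowed("".join(digits), length)
        for digits in product("0123456789", repeat=length)
    )


def keyspace_report(length: int = 4) -> dict:
    """Compare the unrestricted keyspace with what survives the rule."""
    total = 10 ** length
    allowed = count_allowed_pins(length)
    return {
        "length": length,
        "total": total,
        "allowed": allowed,
        "fraction_allowed": allowed / total,
    }


if __name__ == "__main__":
    # Constructed sample PINs, not anyone's real PIN.
    for candidate in ("1357", "1234", "1123", "2580", "0246"):
        print(candidate, "allowed" if pin_allowed(candidate) else "rejected")
    print(keyspace_report(4))  # 2450 of 10000 four-digit PINs survive
```

Under this reading the rule cuts the four-digit keyspace from 10,000 to 2,450, so a rule intended to stop people choosing "1111" or "1234" also tells anyone guessing which 75% of the space not to bother with. This is the trade-off the post is describing: a composition rule is only a net gain when it is paired with a lockout after a few wrong attempts, which is what actually limits online guessing.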

Monday, 25 August 2008

The Credit Crunch and how to survive it

When times get hard and it becomes difficult to maintain business levels and make money, the credit crunch and slowdown in the economy are particularly unwelcome. So what can you do about it? You can work 'smarter' rather than harder: streamline your business, seek out inefficiencies and rectify them.

ISO9001, the quality management standard, has always been a method to incorporate best practice within any organisation. It brings in measures of customer satisfaction, which are essential during hard times; these help businesses to improve their attractiveness to customers and help to target new ones. The very last thing that any business wants is to have goods returned or services to be carried out again free of charge.

Continual improvement is also highlighted, as is the reduction of errors and mistakes. The Standard, if properly implemented, brings any business improved efficiency and better control of the quality of products and services.

The added advantage of a good quality management system is that an external authority is certifying that the systems employed by the business are effective and meet the requirements set out by the International Organization for Standardization (ISO).

These include:

Documentation Requirements
  • Quality Manual
  • Control of Documents
  • Control of Records
Management Responsibility
  • Customer Focus
  • Quality Policy
  • Planning
  • Responsibility, Authority and Communication
  • Internal Communication
  • Management Review
Resource Management
  • Provision of Resources
  • Human Resources
  • Competence, Awareness and Training
  • Infrastructure
  • Work Environment
Product & Service Delivery
  • Planning of Product Realisation
  • Customer-Related Processes
  • Design and development
  • Purchasing
  • Product Provision & Service Delivery
  • Preservation of Product
  • Control of Monitoring and Measuring Equipment
Measurement, Analysis and Improvement
  • Measuring Customer Satisfaction
  • Internal Audit
  • Monitoring & Measurement of Processes
  • Monitoring & Measurement of Product or Service
  • Control of Nonconforming Product
  • Continual Improvement
  • Corrective Action
  • Preventive Action
If these elements are established and operated then the company is in the best position to weather the storms ahead.

Wednesday, 6 August 2008

Internal Quality / Environmental Auditing

The ISO 9000 and ISO 14001 series of International Standards emphasise the importance of auditing as a management tool for monitoring and verifying the effective implementation of an organisation's policy for quality and/or environmental management.

A Quality or Environmental Audit is a systematic, independent examination of a quality or environmental management system. These audits are typically performed at defined intervals and ensure that the organisation has clearly defined internal quality or environmental monitoring procedures linked to effective action. The checking determines if the management system complies with applicable regulations or standards.

It is not enough to put a quality or environmental system into place; it must be tested on a regular basis to ensure it is working ... AUDITING.

The checks will include:
  • The management system documentation; does it adequately define the needs of the business?

  • The documented procedures and processes; are they practical, understood and being followed?

  • The training; is it adequate?

The timing and frequency of audits will vary depending on the importance of a particular part of the system but is predetermined and recorded. The audits are carried out by responsible persons independent of the activity being audited.

It is useful to have an audit programme spanning a set period.

The results of audits must be documented and should include the following:

  • The non-conformities found;

  • The corrective action required;

  • The agreed time for corrective action to be carried out.

Persons conducting audits should be properly trained to carry out the task objectively and effectively. Clearly, it is essential that everyone carrying out internal auditing should audit to the same standard.

Quality Matters has been providing these certificated courses since 1992. They are designed to provide professional training in the principles and practice of audits of management systems for compliance with ISO 9001:2000, ISO 14001:2004 and other standards.

The methodology employed is that set out in the Standard for quality and environmental management systems auditing, ISO 19011:2002.

The course is not IRCA registered but meets the training requirements of all the certification bodies for competence of Internal Auditors.

Delegates who successfully complete the course will have sufficient knowledge of, and skills in, audit techniques to carry out internal audits of quality and/or environmental systems in their own organisations.

The twice yearly courses (April and November) are run locally in Colchester, Essex but bespoke courses can be arranged to be run in-house.

Next course: 20 and 21 November 2008

For details and booking on this cost effective course, please see our Internal Auditor Course page.

Monday, 28 July 2008

ISO27001 Laptop Security

More and more details are emerging concerning lax security of data and I am becoming increasingly concerned at the absence of even basic precautions to prevent unauthorised disclosure of data.

There have been laptops stolen, lost or simply forgotten at airports which contain sensitive information. Not long ago a Cabinet Minister had a desktop computer stolen, which had data not normally allowed outside Whitehall. The Minister concerned told the Press that it was safe as it was protected by a password. There was incredulity among those present as passwords are so easily overcome. One wag even enquired if the password was 'PASSWORD'.

Desktops and laptops often store system passwords in CMOS, a volatile memory chip within the computer that is kept alive by a small coin-type battery on the motherboard. This same chip holds the date and other start-up data. If you remove the battery and leave it for a few minutes, this data is lost and the password is removed. The other type of start-up password is held in an encrypted form on the hard disk.

It is relatively easy to boot the computer from a CD or alternative operating system, access the password files and delete them. Rebooting the computer in the normal way shows that the password has been removed.

I am no computer expert, but this easy routine is readily available on the internet, and it beggars belief that anyone, let alone those in Government, thinks that their data is secure when 'protected' in this flimsy way.

In my job I travel widely and I have a laptop which is protected by a password but the data I carry is on a separate removable drive which is encrypted at file level so that even if the drive was stolen and put into another laptop the data could not be accessed.

I use Folder Lock to secure my data. There are many other programmes available but I like this one.

Folder Lock is a fast file-security program that can password-protect, lock, hide and encrypt any number of files, folders, drives, pictures and documents in seconds. Protected files are hidden, undeletable, inaccessible and highly secure. It hides files from anyone other than the authorised user, safeguards them from viruses, trojans, worms and spyware, and even protects them from networked PCs, cable users and hackers. Files can also be protected on USB Flash Drives, Memory Sticks, CD-RW, floppies and notebooks. Protection works even if files are taken from one PC to another on a removable disk, without the need to install any software. It locks files in Windows, DOS and even Safe Modes.

I know that my sensitive files are protected and that my clients' data is protected.

Tuesday, 15 July 2008

BS OHSAS 18001:2007 Occupational Health & Safety Management

There has been a considerable increase in the number of enquiries that I have received for BS OHSAS 18001 certification. It seems that businesses are increasingly aware of the need not only to meet current legislation but to keep employees safe and morale high by demonstrating the 'OH' part (Occupational Health) as well as the safety element.

I have been offering Quality, Environmental and information security consultancy for many years but it became clear that I would need to include Health & Safety Management Consultancy as part of the service offered to Clients.

I enrolled in the BSI Certificate in Occupational Health & Safety Course, which is a distance learning system. There are eight modules provided on 3 CDs. Each module is concluded by an assignment. The assignments are marked by a BSI Tutor before the next module is commenced. The course material, both on the CD and in paper format, was very good and gave me all the information I needed to pass the assignments. My Tutor was very complimentary about my assignments and there was only one instance where I needed to resubmit information.

Last Friday I received my Certificate and I am delighted that my knowledge has been greatly improved. I can see that the Standard 18001 is not just about Safety but also encompasses Health and wellbeing.

All in all I am very pleased with the result.

Monday, 30 June 2008

Integrated Management Systems

The old favourite ISO9001, the Quality Management Standard, is often combined with ISO14001, the Environmental Management Standard, and more and more a three-way integration is being called for. The third element is BS OHSAS 18001, the Occupational Health & Safety Standard. The advantage of having a truly integrated system is that there are elements of all three Standards that are similar or the same:

  • All three Standards have a document control requirement;

  • The control of records is specified in all three Standards;

  • Training, competence & awareness is seen in all three Standards;

  • All three Standards have a requirement for internal auditing;

  • Management review is seen as the linchpin for all the Standards;

  • Monitoring and measuring devices are used in each Standard;

  • Continual Improvement is key to all three;

  • Corrective action and Preventive Action are prime requirements.

It is clear with this amount of synergy, the effort in putting the standards into place can be greatly reduced, as can the costs. The benefits to the organisation can be immense and the incorporation of an integrated management system says a great deal about you:

  • It says in clear and unequivocal terms that you care about the quality of your products and/or services.

  • You care about the degree to which your customers are satisfied.

  • You care about the environment and the effect your operation is having on the planet.

  • You care about the health, safety and welfare of your employees, contractors and visitors.

And finally that you are sufficiently confident to get these systems externally tested and certificated.

Many Companies placing contracts or purchasing goods look for organisations that hold ISO9001, increasingly expect green credentials as well, and want suppliers that look after their staff and can demonstrate it.

An Integrated System is the answer.

Monday, 16 June 2008

Environmentally sound and safe as well

I drive many thousands of miles each year and to protect the environment I purchased a Honda Hybrid car in May 2007. This car uses a small petrol engine and an electric motor in an integrated propulsion unit.

The car returns some 45-50MPG and in addition is exempt from the London congestion charge. There is also a considerable saving in the car tax disc which is only £15 per year. All in all, I have been delighted with this car and recommended it to others.

Honda engineering also saved my life this week when I was involved in a crash which wrote off the car. The car was badly damaged but the driver's protection cell remained fully intact. My fear was that the car would catch fire, particularly with the high power batteries used within the car. My fears were unfounded. The Fire and Rescue Service cut the roof off the car so that they could slide me out on a spinal board. There was some concern that I may have had a whiplash injury. The Paramedics cut my suit off so that they could put a cannula into my arm ready for any actions the hospital may need to carry out. The ambulance service took some Polaroid photographs of the scene and I was amazed that after being checked over at the hospital I was able to leave with no more than a bruise where the seat belt had been.
Had my car been an old one or one of a less robust nature then I doubt whether I would be writing this blog.

Will I buy another Honda Hybrid?

I have already bought a new one to replace my one year old friend. I can drive it with confidence, knowing that in addition to doing my bit for the planet, Honda is doing all it can to ensure that I am safe in my car and even if the worst happens I have the best chance of surviving.

Thank you Honda

Monday, 2 June 2008

Security of Passwords ISO27001

Each year, just before INFOSEC (the Information Security Exhibition), a test is carried out to assess the level of security placed upon workplace passwords.

This year your password could be exchanged for a chocolate bar. It is still shocking that some 64% of people challenged outside Liverpool Street railway station in Central London were prepared to give their passwords away for a paltry chocolate bar. The findings were further segmented when the split of sexes was added into the equation; more of those giving away their passwords were women.

When the questions were extended to ask for telephone numbers, place of work and dates of birth in exchange for the chance to win a holiday, the numbers fell, but still more women than men gave their details, if only just.

The only crumb of consolation is that the total number of people prepared to compromise their personal or work security is down on last year by about 20%.

Government and big business continue to exhibit a less than satisfactory level of care with our security; indeed, in another case, a problem with email attachments resulted in a disc being sent by normal post. The disc contained important information but was only protected by a basic password which, the company admitted, could be broken in a matter of minutes. The disc did not arrive.

It is not known how many of the security details given away at Liverpool Street Station were genuine and how many were simply wrong, but working on the 70:30 principle a good number were genuine. It is fortunate that the details obtained were not put to any unauthorised use... but they could have been.

Vigilance is required to ensure the security of all our systems.

Tuesday, 20 May 2008

Corporate Manslaughter Act 2007 and BS OHSAS 18001

This Act of Parliament brings into law an offence of Corporate Manslaughter where a Company, Partnership or Owner can be found guilty of causing death by gross negligence. Previously it was necessary to prove that someone within a Company, Partnership or Owner was guilty of gross negligence.

Far from bringing relief to Company Directors, Managing Partners and Owners, this could be a double-edged sword, as the organisation can be prosecuted as well as the senior individual and the Health and Safety Officer.

Here is part of the Act which gives guidelines for Jurors to consider when trying a case brought under the Corporate Manslaughter Act:

(1)(a) it is established that an organisation owed a relevant duty of care to a person, and
(b) it falls to the jury to decide whether there was a gross breach of that duty.

(2) The jury must consider whether the evidence shows that the organisation failed to comply with any health and safety legislation that relates to the alleged breach, and if so:

(a) how serious that failure was;
(b) how much of a risk of death it posed.

(3) The jury may also:

(a) consider the extent to which the evidence shows that there were attitudes, policies, systems or accepted practices within the organisation that were likely to have encouraged any such failure as is mentioned in subsection (2), or to have produced tolerance of it;

(b) have regard to any health and safety guidance that relates to the alleged breach.

(4) This section does not prevent the jury from having regard to any other matters they consider relevant.

(5) In this section "health and safety guidance" means any code, guidance, manual or similar publication that is concerned with health and safety matters and is made or issued (under a statutory provision or otherwise) by an authority responsible for the enforcement of any health and safety legislation.

Clearly, "any other matters that the Jury considers relevant" could include a defence that the organisation had 'taken all reasonable steps'; this could include a good Health & Safety Management System.

If this system complies with BS OHSAS 18001:2007 and is assessed and accepted by an accredited certification body then this defence is valid and should result in the jury finding that the accident was exactly that, 'an accident'.

The costs of incorporating 18001 and then having it formally assessed can be fully justified as insurance against conviction for Corporate Manslaughter. It will also allow Directors, Managing Partners and Owners to sleep soundly in their beds, knowing that they have done everything possible to avoid death or injury in their enterprise.

Monday, 5 May 2008

What Value is an External Consultant?

Most companies holding a certification to ISO9001 have done so for many years and, although the standard calls for 'Continual Improvement', this is often product or service based and often reflects normal organic growth. While there is nothing intrinsically wrong with this approach, Directors are not always taking advantage of the latest techniques and processes.

Many companies certified for over five or six years may have a fairly large quality manual and processes to match; some of these will have been expanded as a result of auditors' comments and some by customers' complaints or observations, but not all will add any value to the company's operation.

It is a good idea to have someone look with fresh eyes at what you are doing, and to get a real heads-up on the latest techniques and ways to reduce the administrative burden of Systems Management.

This not only applies to ISO9001 but to all the other standards, Environmental, Information Security, Health & Safety, individual Product standards and others.
Professional consultants have verifiable qualifications and accreditations plus Professional Indemnity Insurance. Also any consultant will be able to furnish you with a list of satisfied clients with whom you can obtain references.

A good consultant is worth his or her weight in gold; not only can an MOT actually save money, it can also result in greater efficiency. Remember, an experienced consultant will have been involved with a number of organisations and will be able to use that experience to help you. Cherry-picking the best practices and techniques while retaining strict confidentiality will add real value to your business.

There are other advantages, such as no holidays to pay for, no sickness or other absence to factor in and the best bit is you only pay for actual work performed.

Monday, 21 April 2008

OHSAS 18001 Health & Safety Management Standard

OHSAS 18001 has become one of the most widely recognised standards in the world. Last year the standard was adopted as a British Standard and can be formally assessed and certified.

What is OHSAS 18001?

18001 or more correctly BS OHSAS 18001:2007 (in the UK) is a registration scheme where an organisation's Health & Safety Management is assessed against a set of rules; if successful the organisation can use the logo to endorse the management system incorporated in the organisation. The logo along with the 'tick and Crown from UKAS' means that the company can demonstrate full compliance with the standard.

What does OHSAS 18001 cover?

The standard covers all elements of Health & Safety in the organisation and ensures that the Safety at Work legislation is fully implemented. With the ever increasing regulation and legislation it is important to have any internal systems validated. It may prevent inadvertent breaches of the Law and the prosecutions that may follow.
In short, all the health and safety activities normally carried out within a well ordered organisation.

Below is the BS OHSAS 18001 model which is designed to turn OH&S Policy, through planning and implementation into continual improvement of the Health & Safety system employed by the company.

The information gathered at every stage is fed to top management to allow for continual improvement. In this way the organisation is able to make decisions based on fact and so develop and evolve.
Many companies are opting for a fully integrated approach of Quality, Environmental and H&S in one management system.

Monday, 7 April 2008

ISO14001 Environmental Management Standard

What is ISO14001?

14001 is an externally assessed scheme where an organisation's declared environmental practices are checked against a set of rules; if successful the organisation can use the logo to endorse the environmental management system incorporated in the organisation.

An additional advantage is that cost savings brought about by reductions in gas, electricity and fossil fuels can be significant.

What does ISO14001 cover?

The standard covers the impact on the environment made by the product (or service) from customer's order through order acceptance, design and development if appropriate, planning, production or service delivery and control of calibration devices. Also included is training and the selection of suppliers that are able to meet the organisation's environmental needs, together with controls on energy usage and waste generation.

The activities are those carried out by most 'Green' companies.
Below is the ISO14001 model which is designed to allow for continual improvement through planned and operated policy.

As is the case with ISO9001 (Quality Management Standard) the information gathered from the processes is fed to top management to allow for continual improvement. In this way the organisation is able to make decisions based on fact and so develop and evolve.

The two standards 9001 and 14001 are often integrated into a single management system.

Monday, 24 March 2008

ISO9001 Quality Management Standard

ISO9001 has become the most widely recognised standard in the world. In the UK the 'Crown and Tick' logo alongside the Certification Body shows that the certificate of registration is valid worldwide.

What is ISO9001?

9001 or more correctly BS EN ISO9001:2000 (in the UK) is a registration scheme where an organisation is assessed against a set of rules; if successful the organisation can use the logo to endorse the management system incorporated in the organisation.

What does ISO9001 cover?

The standard covers all stages of a product (or service) from customer's order through order acceptance, Design and development if appropriate, planning, production or service delivery and quality control checks such as inspection, and control of calibration devices. Also included are the selection of suppliers and purchase of goods, together with control of customer complaints and the measurement of customer satisfaction.

In short, all the activities normally carried out within a well ordered organisation. There is no rocket science involved.

Below is the ISO9001 model which is designed to turn customer enquiries into customer satisfaction:

The information gathered from the processes is fed to top management to allow for continual improvement. In this way the organisation is able to make decisions based on fact and so develop and evolve.

Sunday, 9 March 2008

Encryption and ISO27001

What is encryption?

Encryption is a method of scrambling a message or other data so that it cannot be read by an unauthorised person. Sadly it has become too easy to intercept messages and use them for illegal purposes. Encryption protects that data.

A simple encryption might be to use the alphabet in reverse:

'Please reply to this message' becomes KOVZHV IVKOB GL NVHHZV

Unfortunately this code would be broken very easily. A more secure system would use the shift method, where the same table is used but each letter is shifted to the right by 3 boxes.

'Please reply to this message' now becomes SOSWVS FSHLE DI DPOE KSEEWQS. This is better but relies on the person receiving the message knowing the key (what method was used). This type of encryption would be broken in seconds by an experienced cracker.
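As an added example (not code from the original post), here are the two ciphers just described, the reversed alphabet and the shift by 3, applied to the post's own sample sentence, followed by the 26-key exhaustive search that is all it takes to "break" a shift cipher. The ciphertexts are computed from the rules as stated, so they differ from the hand-worked strings in the post; the English letter-frequency table is a standard one and is used only to rank the 26 candidate decryptions.

```python
# Added example (not from the original post): the reverse-alphabet cipher and
# the shift-by-3 cipher described above, applied to the post's own sample
# sentence, plus the 26-key exhaustive search that shows why a shift cipher
# offers no real protection. Spaces and punctuation are passed through unchanged.
import string

ALPHABET = string.ascii_uppercase  # "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Standard English single-letter frequencies in percent; used only to rank
# candidate decryptions in break_shift().
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0,
    "H": 6.1, "I": 7.0, "J": 0.15, "K": 0.77, "L": 4.0, "M": 2.4, "N": 6.7,
    "O": 7.5, "P": 1.9, "Q": 0.095, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8,
    "V": 0.98, "W": 2.4, "X": 0.15, "Y": 2.0, "Z": 0.074,
}


def atbash(text: str) -> str:
    """Reverse-alphabet substitution (A<->Z, B<->Y, ...).

    The mapping is its own inverse, so the same function also decrypts.
    """
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[25 - ALPHABET.index(ch)])
        else:
            out.append(ch)  # leave spaces and punctuation alone
    return "".join(out)


def shift(text: str, key: int) -> str:
    """Shift every letter `key` places to the right, wrapping Z back to A.

    key=3 is the post's example; a negative key shifts left, so
    shift(shift(m, 3), -3) == m.upper().
    """
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def english_score(text: str) -> float:
    """Sum of letter frequencies; a higher score looks more like English."""
    return sum(ENGLISH_FREQ.get(ch, 0.0) for ch in text)


def break_shift(ciphertext: str) -> tuple[int, str]:
    """Recover the key without being told it: there are only 26 possibilities,
    so decrypt under every one and keep the most English-looking result."""
    candidates = [(key, shift(ciphertext, -key)) for key in range(26)]
    return max(candidates, key=lambda kp: english_score(kp[1]))


if __name__ == "__main__":
    message = "Please reply to this message"  # the post's sample sentence
    print("reverse alphabet:", atbash(message))
    encrypted = shift(message, 3)
    print("shift by 3:      ", encrypted)
    key, recovered = break_shift(encrypted)
    print(f"exhaustive search recovered key {key}: {recovered}")
```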

Modern computers rely on even more secure methods:

The first of these is the SYMMETRIC KEY, where the sender and the receiver both know the key with which the message is decrypted. Anyone else will see a jumble of letters.
The second method is known as PUBLIC KEY; a typical system uses PGP (Pretty Good Privacy) and relies on a public key which is available in the message and a private key which is known only to the sender and the receiver. Again, anyone else will see gibberish.

The third method is known as DIGITAL CERTIFICATE where the certificate acts as a middleman, checking the identity of both the sender and the receiver; if both are genuine the certificate allows the message to be decrypted.

Additionally, financial transactions use a secure system known as SSL (Secure Sockets Layer); the user will notice that the usual http:// is replaced by https:// and a small padlock is normally present on the web-site to show that SSL is in use. Credit Card transactions use this very secure method of encryption.

The Information Security Standard ISO27001 recommends the use of encryption to protect data.

Monday, 25 February 2008

ISO27001 Information Security

Data security, or the lack of it, is in the news almost daily and the news is pretty alarming. Report after report reveals the often casual way in which our data is cared for and the shortfalls that result.

Every cloud has a silver lining however; we have seen a huge increase in enquiries for consultancy in setting up ISO27001 systems. It seems that industry and commerce are taking data security very seriously, unlike the Revenue.

ISO27001 sets up a number of steps that protect data and other information from unauthorised access and release. It also ensures compliance with the Data Protection Act and ensures that companies are protected from litigation concerning data.

Surely it cannot be long before the Information Commissioner takes action or, failing that, litigation is brought against those who lose or act in a cavalier manner with data under their care.

Every organisation employing ISO27001 can claim that they have used best practice and have taken all reasonable steps to ensure that the elements of Data Security have been employed. This is a valid defence in a Court of Law (if it should go that far).

C.I.A. (Confidentiality, Integrity and Availability) are the main requirements:

  • To ensure that data is not compromised or released

  • To ensure that data is protected from unauthorised alteration

  • To ensure that data is available when and where required

If we all carry this out then there is hope for us yet.

At the moment, I for one, am unwilling to trust my valuable data to any organisation not complying fully with ISO27001.

Monday, 11 February 2008

Social Engineering

Social engineering is the name given to attempts to gain secure information by gaining the trust of the person holding such information.

With Valentine's Day fast approaching, I recall methods used in the past to gain entry to some of London's most secure buildings.

Imagine the scene, a pretty girl with a teddy bear and a box of chocolates presents herself at reception, "It's a surprise for Jason Brown from his girlfriend and the bear, chocolates and message have to be delivered in person". The Receptionist says that security policies will not allow her in, but she pleads that this is an emergency, and trusting the girl, just this once, lets her in. Of course she isn't delivering a Valentines Gift, she has been sent to test the company security.

Imagine the second scenario: the telephone rings and the person on the other end explains that he is one of the IT engineers testing the company intranet and has foolishly gone to the data centre without taking his book of secure passwords; if he is found out he will probably be sacked, so can the person please help him out this once and give him log-in and password information? The result can be scary.

The third scenario is even more worrying; on a train station the offer is a free pen if the person will simply write their log in and password on a slip of paper. Each person so doing will be entered into a draw with the chance to win a holiday, one million pounds, or some other prize. Sadly too many people take up this offer and compromise their security systems.

This year, with February 29 being the day when traditionally ladies can propose to their men, it will be entirely possible that many secure buildings will be penetrated by women claiming to want to propose, and it must be a surprise, mustn't it?

And finally the smoking ban has had a very detrimental effect on security; the fire doors at the back of the building are left open to allow smokers to go out for a cigarette, and get back in afterwards. The social engineer will simply mingle with the smokers and follow them in. Security breached.

Thursday, 24 January 2008

Business Continuity Planning BS25999-2:2007

I wonder how many companies were faced with the same problem that I faced following the Christmas and New Year shutdown: my office landlord decided that he would turn off the heating during this period in order to save money. The net result was that the office, and more importantly the computer equipment, became very cold. Upon turning the heating back on, condensation formed and this caused the equipment to short out.

The resulting bang not only did my constitution no good, it meant that the computer equipment had to be repaired. Fortunately our company has a business continuity plan which was put into action and none of our clients were put to any inconvenience.

At the end of 2007 the British Standards Institute produced a new standard, BS 25999-2 Business Continuity Management, and its code of practice BS25999-1. This can be either a stand-alone system or part of ISO27001 (Information Security Management Standard).

BS25999-2 sets out the requirements for BCM (business continuity management) and how any organisation can reduce or mitigate any incident which interrupts or degrades the company or its operations.

The main areas are:

  • Identify what potential risks could affect the company;

  • Know what equipment would be needed in the event of a loss of building/facility;

  • Keep copies of staff information off-site to be able to contact key personnel if required;

  • Plan who will do what and when;

  • Make contingency plans for staff if buildings are unavailable;

  • Keep copies of important information off-site;

  • Review and train everyone in the continuity plan and IT disaster recovery routine;

  • Test the plan regularly;

  • Learn lessons from any tests;

  • Ensure the plan is kept up to date.

Having a business continuity plan in place will not stop a disaster happening, but it certainly will ensure that its effect can be mitigated and will ensure that the company can be up and running in the shortest possible time.

It is important to note that many companies that have been subject to a major disaster and do not have a business continuity plan have gone out of business.

Be prepared. It is not only for boy scouts.

Thursday, 17 January 2008

Business Continuity Planning

Business continuity planning is one subject that is often left to the last minute but is one of great importance.

If you wait until 'something' happens, it could be too late. I have seen people wading in calf deep water looking for the stopcock; others reading the instructions on a fire extinguisher in the middle of a fire.

In reality we should all know what to do in an emergency well before the emergency happens and be prepared for most eventualities.

We have read about the terrorist attack, the dirty bomb and other major catastrophes but it is often the 'soft' disasters which can cause irreparable damage to a company.

One such problem occurred recently; the company uses a card entry system to gain access to the building. The server housing the operating system failed and prevented anyone entering the building. It was apparent that there was no manual override; people milled around outside the building, not really knowing what to do. Eventually someone broke a window to gain entry. Of course the alarm went off and before it could be turned off the police were on site; embarrassment all round.

The company has now put a system in place to override the card system if it fails in the future.

The winter season also means that illness will increase; how many companies have prepared for a flu epidemic? Sadly very few.

Companies that have incorporated ISO27001 (Information Security Management System) will have an emergency plan in place, regularly tested and validated. This, together with an IT Disaster Recovery Plan, will be able to deal with most eventualities. The old saying 'hope for the best but prepare for the worst' is a good mantra to use.

Companies that have suffered major disaster, like being in the vicinity of the Buncefield fuel depot fire, and did not have any business continuity plan have disappeared without trace. Insurance cover just didn't mitigate all the problems. Those companies that did have a plan in place, had difficulties but managed to survive.

It is a pity that, as of December 2007, there are only 363 companies in the UK certificated to ISO27001. It is a very big standard to achieve but the benefits are huge.

Thursday, 10 January 2008

ISO9001 Quality Management Standards

In the UK there are some 6.6 million companies trading and of these over a million are certificated to ISO9001:2000. These companies have procedures and processes in place which are tested by independent certification bodies accredited by UKAS (The United Kingdom Accredited Service).

Companies certificated to ISO9001 have to provide evidence of their compliance to the standard.

This testing is repeated on a regular basis to ensure continued compliance.

Essentially, 9001 is a management system process to turn customer enquiries into customer satisfaction and provide information to the management of the company. The measure of customer satisfaction is an important one and must be measured in a proactive way. The absence of complaints is not a sure fire way of monitoring customer satisfaction; often dissatisfied customers will simply go elsewhere. The sad thing is that the company may never realise why customers do not return. The only way to find out how your customers perceive the quality of service they receive is to ASK them.

The other measures in 9001 are monitoring and measuring of processes and products which ensure that the resulting product (or service) really does meet requirements.

Nowadays 9001 is expected as an entry point for tenders; Government contracts often specify 9001 as a mandatory requirement. If companies do not have this, any submitted tender does not get past the starting gate.

One other point about 9001 certificated companies relates to survivability during tough times; 9001 companies are more likely to weather difficult times as they have documented and tested procedures in place to cope with problems.

Thursday, 3 January 2008

A Happy New Year (and a more secure one!)

We should all hope that 2008 is going to be a more secure year for our data. It seems that every day brings fresh news that our data has been compromised in one way or another. The chief culprits appear to be government departments, which are being forced to own up to data breaches in the past rather than being found out by the Information Commissioner.

In addition to lost disks, there are paper records discarded in public dustbins and lost laptops by the boat-load. Security which was trumpeted by ministers as being paramount seems to have been very low on their priority list in their own domains. It is also lamentable that there has been a deliberate policy of hiding the facts from those people most at risk.

We must be vigilant as these data breaches might not affect us until some date in the future. Criminals will wait until the furore has died down before using the data illegally.

Let us make sure that 2008 is a year of data security, here is a recap of precautions:

  • Always shred confidential documents or documents having identifiable data;

  • Never give passwords or log on information to email enquiries, telephone callers or visitors;

  • Be wary of emails directing you to a bank or other secure site which ask for personal information;

  • Do be aware that information put into social sites such as Facebook may be visible to people other than the intended audience. Dates of birth, names and addresses, telephone numbers and details of family can be used to steal identities.

  • Never dispose of old computers until the hard drives have been removed or destroyed; remember deleting or re-formatting the disk does not actually delete the data;

  • Never leave confidential documents on desks overnight or when unattended (clear desk policies);

  • Laptops should be secured with a multistrand cable to an immovable object like a radiator when unattended;

  • Laptops should be password protected;

  • Laptops should be encrypted if data is sensitive;

  • Never share passwords, and use complex passwords to prevent others gaining access to desktops and laptops;

  • Never leave desktops and laptops logged in and unattended;

The list goes on and on but use common sense - assume that the worst may happen and take precautions to stop or at least reduce it.

Let us all have a Happy and safe New Year

Quality Matters

P.O.Box 5479

T: 01621 857841
F: 01621 856016
M: 07702 193788

© 2015 Quality Matters Ltd. All rights reserved. Responsive Design